Hiding Mr.Fishit using FU (rootkit)

[iruleatants]

Firstly, This was created to assist people who bot with Mr.Fishit in hiding their process, and further more making Wow.exe from being able to detect it!!

Step one.

Download the rootkit from rootkit.com
(Easy right?) The problem is, most Anti-virus's will detect this as a Trojan. Because, technically it is. This is a good Trojan though, because it will hide what you want, and not do anything unwanted. So, most likely you will need to create an exception for your antivirus so it wont delete your precious files.

Step two.

So, you downloaded the rar, and now your wondering what to do.

Extract the rar file(You only need the files inside the folder EXE to save you more time, and specifically, "msdirectx.sys" and "FU.exe") to anywhere you want. After you have extracted the files, take the files "msdirectx.sys" and "FU.exe" and move them directly into MR.Fishits directory. This is what it should look like (Excluding the hidemeplease.exe name, which will be whatever you named mr.fishit, and the Bat file)



Step Three

Download the attached file, and extract it to your Mr.Fishit Directory. Right click on it and Edit. in the notepad window that opens, you ill see this


Start HIDETHISPLEASE.exe
FOR /F "tokens=3 delims=:" %%a in ('FU -pl 100 ^| FIND /I "hidethisplease"') do set P1D=%%a


Change HIDETHISPLEASE to the name of your Mrfishit.exe (I would recommend renaming it to something else, make sure that its not the same as anything that may run)

Step Four.
Double click Epic.bat and this do stuff as your normally would with mr.fishit.

Step Five(Extra)
To ensure it was hidden properly, Press "Ctrl+Shift+esc" then select applications find your Mrfishit window name and right click > Go to process. It should take you to the processes tab, but nothing should be highlighted. If there is something highlighted, you failed, try again.


RECAP.

1.rootkit.com
2."msdirectx.sys" and "FU.exe" in your Mrfishit directory
3.Download attached file
4.Extract to Mr.fishit directory
5.Edit and replace all instances of HIDETHISPLEASE with exe's name
6.Doubleclick the Batch file
7.Taskmanager, Go to process. Shouldnt exist.


Post in here if you need any help!.

P.S I will return after I have messed with changing permissions and such to try and add even more security.

EDIT: Cant attach the file. WTF
RapidShare: Easy Filehosting

[Nesox]

Looks nice i have fooled around with it some but without any major succes, ill give you a rep cookie tomorrow cant atm.

[djCorrupT]

does this also work with gliders? like zolo and FJB?

[wisner1431]

nvm.....[filler]

[wisner1431]

Step Three

Download the attached file, and extract it to your Mr.Fishit Directory. Right click on it and Edit. in the notepad window that opens, you ill see this\

What attached file?

[wisner1431]

Ok,
Didnt work,
did all that you told me to do,
made the bat file how you told me to do, still exists

Start Wisner
FOR /F "tokens=3 delims=:" %%a in ('FU -pl 100 ^| FIND /I "Wisner"') do set P1D=%%a
FU.exe -ph %P1D%
FU.exe -phd msdirectx.sys

[lhazar]

It's working here, great addition mate. I guess this could easily be used for masking any bot/clicker, right?

[dante_10]

The creater of this thread should've added that this rootkit doesn't work on vista since this driver isn't trusted (no licence) and if I remember right, the rootkit itself does not support vista (for people with some knowledge in programming: sdt callnumbers may be wrong).

[xknight]

The guide is good and it works!

I still have a question. Mr. Fish it makes a tray icon with its name. Wouldn´t it be cool to take it away?

Another question is:

This a rootkit well know so woun´t wow.exe find the rootkit and make you account suspicious?
The point I want to get is "It is really more safe to use the rootkit? :P"

Sory if it is a lame question. But at least I think it is an interesting one!

Thanks for the guide iruleatants!

[iruleatants]

Ok,
Didnt work,
did all that you told me to do,
made the bat file how you told me to do, still exists

Start Wisner
FOR /F "tokens=3 delims=:" %%a in ('FU -pl 100 ^| FIND /I "Wisner"') do set P1D=%%a
FU.exe -ph %P1D%
FU.exe -phd msdirectx.sys

Do you have the two required files in there?
Add the line PAUSE to the end of the bat and tell me what it says
And also, are you running more then a hundred processes?

It's working here, great addition mate. I guess this could easily be used for masking any bot/clicker, right?

Yes. Just by changing the process your hiding.

The guide is good and it works!

I still have a question. Mr. Fish it makes a tray icon with its name. Wouldn´t it be cool to take it away?

Another question is:

This a rootkit well know so woun´t wow.exe find the rootkit and make you account suspicious?
The point I want to get is "It is really more safe to use the rootkit? :P"

Sory if it is a lame question. But at least I think it is an interesting one!

Thanks for the guide iruleatants!

Talk to the maker about removing that, and as far as I know, WOW cant ban you for having rootkits, and doesnt search for rootkits. Its not WoW's job to make sure you computer is clean.....

[wisner1431]

I am running 55 processes,
yes, I put the Fu, and the msdirectx, and epic.

I right clicked Epic, edited,.

well shit i got vista, thats my problem.

[jerry_teps]

Nice. Always wanted to be able to hide processes. +Rep

[frostshock1]

Not working for me. I'm on XP Pro 32 bit. I did what you said above and added the pause command. For some reason I am getting "Access denied" to Fu.exe. This doesn't make any sense as I am logged in as an administrator. The only thing I have running in the background is my ATI and G15 control panels.

Edit: I think I found the problem. When AVG scanned it and detected it, I just closed the results. I think there was an option to automatically attempt a fix or whatever and that somehow messed with the fu and msdirectx files.

Right now it's working great. It is not showing up in my processes tab.

It IS showing up in my applications tab though. Is there any way to hide it from there as well?

And thank you for this!

[Aniecheres]

Ok nvm I found the file attachement*dur on me*

Now I got everything done and working so that when I double click on the Epic, it starts MrFishIt, i then go to my Ctrl Alt delete, go to applications, right click on Calc.exe(what I named my MrFishIt) but alas it does show up highlighted in my processes =( This makes me a sad panda as Im not sure where I went wrong.



Hmmmm as well I use Avast Anti Virus and It wont stop popping up telling me a trojan virus was detected, I know that the rootkit is a virsu(and if it does anything bad to my system so help me god) but how do I make it so that Avast stops freaking out about it?

[iruleatants]

Not working for me. I'm on XP Pro 32 bit. I did what you said above and added the pause command. For some reason I am getting "Access denied" to Fu.exe. This doesn't make any sense as I am logged in as an administrator. The only thing I have running in the background is my ATI and G15 control panels.

Edit: I think I found the problem. When AVG scanned it and detected it, I just closed the results. I think there was an option to automatically attempt a fix or whatever and that somehow messed with the fu and msdirectx files.

Right now it's working great. It is not showing up in my processes tab.

It IS showing up in my applications tab though. Is there any way to hide it from there as well?

And thank you for this!

There is no need to hide it from that tab so I wont even bother figuring a way out. This is why there is an option to rename the window. Name it something like "Winamp" or "Mozilla Firefox" or "Windows Live Messenger" There are countless things you can name it to and it will mask it perfectly, because all wow can do (and they dont) is read the name "Winamp" and the only conclusion is that its a music player....

Ok nvm I found the file attachement*dur on me*

Now I got everything done and working so that when I double click on the Epic, it starts MrFishIt, i then go to my Ctrl Alt delete, go to applications, right click on Calc.exe(what I named my MrFishIt) but alas it does show up highlighted in my processes =( This makes me a sad panda as Im not sure where I went wrong.



Hmmmm as well I use Avast Anti Virus and It wont stop popping up telling me a trojan virus was detected, I know that the rootkit is a virsu(and if it does anything bad to my system so help me god) but how do I make it so that Avast stops freaking out about it?

Thats why my guide says to DISABLE IT....

on-access protection - file exclusion - Powered by Kayako SupportSuite Help Desk Software

That should do it, please remember that they want the folder, not a specific file.